A hacker behind a major data breach at Coinbase, the largest cryptocurrency exchange in the United States, has laundered approximately $42.5 million in stolen Bitcoin through the decentralized protocol THORChain—while openly mocking blockchain investigator ZachXBT with an on-chain taunt.
The breach, which compromised the personal data of more than 69,000 users, was first disclosed on May 11 in a filing with the Maine Attorney General’s office. According to the report, the attack occurred in December 2024 and allegedly involved bribed Coinbase support contractors in India who provided access to sensitive customer information, including names and home addresses.
Coinbase estimates the financial impact of the breach could range from $180 million to $400 million, covering remediation, user reimbursements, and litigation. The company has terminated the implicated employees and rejected a $20 million ransom demand from the hackers, instead offering a $20 million bounty for information leading to their identification.
On May 21, blockchain monitoring firm PeckShield reported that the hacker swapped $42.5 million in Bitcoin for Ethereum using THORChain, a decentralized protocol that facilitates cross-chain asset swaps without intermediaries. The following day, 8,697 ETH was converted into 22 million DAI, a dollar-pegged stablecoin. A connected wallet holding 9,081 ETH similarly swapped its balance for 23 million DAI, underscoring how decentralized protocols are being used to obscure the flow of illicit funds.
The hacker also embedded a provocative message in one Ethereum transaction: “L bozo,” along with a link to a YouTube clip of NBA Hall of Famer James Worthy smoking a cigar—seemingly aimed at ZachXBT, a well-known independent blockchain investigator. ZachXBT shared the message on his Telegram channel, connecting it to the Coinbase breach and warning users of related phishing attempts exploiting stolen data.
The use of THORChain has raised concerns among regulators and security experts. In March, the protocol processed over $1.4 billion in illicit funds linked to a Bybit hack allegedly orchestrated by North Korea’s Lazarus Group—a cybercrime organization suspected in the Coinbase incident as well. Between 2007 and 2023, Lazarus is believed to have stolen more than $3 billion in digital assets, often using decentralized tools like THORChain to launder funds and evade detection.
In the wake of the Coinbase breach, at least six lawsuits were filed in mid-May, accusing the exchange of negligent security practices and delayed disclosure. Andy Zhou, co-founder of blockchain security firm BlockSec, told CoinDesk that Coinbase failed to detect red flags, including abnormal data downloads by insider actors. The breach has reignited fears of physical threats to victims, similar to those following a 2021 Ledger hardware wallet data leak.
Coinbase has pledged to reimburse impacted customers, especially those who fell victim to follow-up social engineering schemes. The company is also rolling out stricter insider-threat detection systems and relocating its customer support operations to the United States.
“No passwords, private keys, or funds were exposed, and Coinbase Prime accounts remain unaffected,” a spokesperson said.
The Securities and Exchange Commission is reportedly investigating the breach’s timing, which coincided with Coinbase’s addition to the S&P 500, raising concerns about potential investor misinformation.
While the hacker remains unidentified, the incident underscores the persistent tension between the innovative power of decentralized finance and its susceptibility to exploitation. As investigators like ZachXBT continue to trace digital breadcrumbs, the broader crypto industry faces mounting pressure to improve transparency and fortify user security.
Join our Telegram Channel